[Opendnssec-user] Version 1.1.0 and KSK rollover logic

Antti Ristimäki antti.ristimaki at csc.fi
Wed Jul 7 04:50:41 UTC 2010


On Tue, 2010-07-06 at 23:12 +0300, Duane Wessels wrote:
> On Jul 6, 2010, at 1:04 PM, Tim Verhoeven wrote:
> 
> > So this needs to be configurable behavior. Does anyone know what the
> > policy on this is by the root zone?
> 
> The root zone also requires the DNSKEY to be present in the child zone.
> 
> see http://www.root-dnssec.org/wp-content/uploads/2010/05/draft-trust-anchor-procedure.pdf
> 
>     At the time of the trust anchor request, there must be a DNSKEY
>     that matches the DS record present in the child zone. 

The document seems to say that it is possible to publish a DS record
even if the corresponding DNSKEY is not present in the child zone, if it
is "by design and can be demonstrated not to affect the stability of
the TLD or the root zone". Actually it seems that at least cz. has such
a DS record published in the root zone at the moment.

Regards,

Antti
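
Added example, not part of the original message and not OpenDNSSEC code: a check for the condition discussed in this thread, i.e. whether each DS record in the parent has a matching DNSKEY in the child zone, using the RFC 4034 key tag and DS digest calculations. The zone name, the toy key bytes and the `orphan_ds` helper are constructed for illustration.

```python
import hashlib
import struct

# DS digest type numbers -> hash constructors (1=SHA-1, 2=SHA-256, 4=SHA-384)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical (lowercased) wire format of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """DS fields (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def orphan_ds(owner, ds_set, dnskey_set):
    """DS records in the parent with no matching DNSKEY in the child zone."""
    orphans = []
    for tag, alg, dtype, digest in ds_set:
        want = (tag, alg, dtype, digest.lower())
        # An unknown digest type cannot be verified, so it is reported too.
        if dtype not in DIGESTS or all(make_ds(owner, k, dtype) != want for k in dnskey_set):
            orphans.append((tag, alg, dtype, digest))
    return orphans

# Constructed sample data: toy key bytes, not real keys.
ZONE = "example."
ACTIVE_KSK = dnskey_rdata(257, 3, 8, bytes([1, 2, 3, 4]))
STANDBY_KSK = dnskey_rdata(257, 3, 8, bytes([5, 6, 7, 8]))
PARENT_DS = [make_ds(ZONE, ACTIVE_KSK), make_ds(ZONE, STANDBY_KSK)]  # DS pre-published for standby key
CHILD_DNSKEYS = [ACTIVE_KSK]                                        # standby key not yet in the zone

if __name__ == "__main__":
    for tag, alg, dtype, _ in orphan_ds(ZONE, PARENT_DS, CHILD_DNSKEYS):
        print(f"{ZONE} DS key tag {tag} (alg {alg}, digest type {dtype}) has no matching DNSKEY")
```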